Bug 21029

Summary: libcrytopp new security issue CVE-2017-9434
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, jani.valimaa, lewyssmith, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: libcryptopp-5.6.5-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-06-06 12:12:54 CEST 
A CVE has been assigned for a very minor security issue in libcryptopp:
http://openwall.com/lists/oss-security/2017/06/06/2

The message above contains a link to the upstream ticket which has patches to fix this.  For some reason, even after accounting for the different line endings, I can't get the patch to apply, even though it looks OK.

Mageia 5 is also affected.
David Walser 2017-06-06 12:13:06 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-06-07 21:44:38 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2017-06-10 15:53:51 CEST

CC: (none) => jani.valimaa

Comment 2 Jani Välimaa 2017-06-11 09:34:01 CEST 
Pushed fixed version [1] with a patch from Gentoo to core/updates_testing for mga5.

[1] libcryptopp-5.6.3-1.4.mga5
Comment 3 Jani Välimaa 2017-06-11 09:37:47 CEST 
Freeze push requested for Cauldron's libcryptopp-5.6.5-3.mga6.
Rémi Verschelde 2017-06-11 12:37:40 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Rémi Verschelde 2017-06-11 12:38:26 CEST 
Assigning to QA, but an advisory is still needed before it can be validated.

Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2017-06-11 17:22:52 CEST 
Advisory:
========================

Updated libcryptopp packages fix security vulnerability:

Crypto++'s Zinflate class, used by classes like Gunzip and Inflator, could
perform an out-of-bounds read when decompressing data (CVE-2017-9434).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9434
http://openwall.com/lists/oss-security/2017/06/06/2
========================

Updated packages in core/updates_testing:
========================
libcryptopp6-5.6.3-1.4.mga5
libcryptopp-devel-5.6.3-1.4.mga5
libcryptopp-progs-5.6.3-1.4.mga5

from libcryptopp-5.6.3-1.4.mga5.src.rpm
Dave Hodgins 2017-06-13 05:15:38 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Lewis Smith 2017-06-13 17:42:54 CEST 
Testing M5_64

Updated to:
- lib64cryptopp6-5.6.3-1.4.mga5.x86_64
- libcryptopp-progs-5.6.3-1.4.mga5.x86_64

Testing as per https://bugs.mageia.org/show_bug.cgi?id=19937#c7
 $ cryptest v > tmp/cryptest_v
 $ less  tmp/cryptest_v
looking especially for fail|FAIL|Fail other than "Failed tests = 0".
fail: none
FAIL: none
Fail and not 'Failed tests = 0': none

As normal, the self-tests end with:
 CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading

Update deemed OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 7 Herman Viaene 2017-06-14 15:11:28 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Run cryptest as above, no failure occured. OK.

CC: (none) => herman.viaene
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory

Lewis Smith 2017-06-14 17:20:15 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-06-14 17:53:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0175.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED